I need your help again

Discussion in 'Malware Help (A Specialist Will Reply)' started by DBsummit, Feb 5, 2008.

  1. DBsummit

    DBsummit Private E-2

    My mom's computer is the one infected this time. I believe this started about 2-3 weeks ago, the main problems are alerts that there is spyware on the computer, but the alerts are fake and lead to a website in internet explorer to buy some spyware remover (Spy Away & Perfect Cleaner). I've uploaded the three necessary reports.
     

    Attached Files:

    DBsummit, Feb 5, 2008
    #1
  2. abri

    abri MajorGeek

    Hi DBSummit!
    Welcome to Malware!

    Your computer needs work. Please be patient while I go through your logs.
    abri
     
    abri, Feb 5, 2008
    #2
  3. abri

    abri MajorGeek

    Hi DBsummit!
    Your computer has many problems. This may take several steps. You do have at least one keylogger.

    1) Go to add/remove programs and uninstall the below:

    - SearchAssist


    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rxjddnvj.exe,
    O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
    O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
    O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
    O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
    O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
    O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
    O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
    O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
    O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
    O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
    O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
    O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
    O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
    O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
    O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
    O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
    O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
    O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
    O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
    O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
    O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
    O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
    O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [QdrPack12] "C:\Program Files\QdrPack\QdrPack12.exe"
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After you click fix, just close hijackthis.


    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    4) Download and install Erunt. Use it to create a backup of your registry.


    5) Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    7) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
     
    abri, Feb 5, 2008
    #3
  4. DBsummit

    DBsummit Private E-2

    I did everything up until The Avenger. After rebooting, the log file that The Avenger was supposed to generate couldn't be found and what opened was a blank text file. So I repeated Step 6 again and rebooted again. Well sometimes my mom's computer likes to freeze at startup before even loading windows (it freezes when the model of the Dell is displayed on the screen in black and white, with the progress bar halfway full). So I had to shut it off with the power button and power it up again, and now I'm stuck at the Welcome Screen. I click on my mom's User profile and it starts to load, but less than a second later, it logs back off again and I'm back at the Welcome Screen. (This is just a wild guess, but I bet it has something to do with the last line of the quote box in Step 6?)
     
    DBsummit, Feb 5, 2008
    #4
  5. abri

    abri MajorGeek

    abri, Feb 6, 2008
    #5
  6. DBsummit

    DBsummit Private E-2

    I completed all of part one in that tutorial and restarted (I can't remember now, but the computer might have froze windows started, and then I had to restart again manually). Finally got into the admnistrator account but now the keyboard and mouse don't work in Windows. They work in the BIOS and in the boot menus. Also, I've tried going into Windows Setup again like in the beginning of Part One on the microsoft tutorial, but for some reason instead of taking me to Setup, it just boots Windows normally and I'm stuck on the Admin account with no keyboard or mouse support until I push the power button again.
     
    DBsummit, Feb 6, 2008
    #6
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So you are saying you cannot continue past part 1 of Microsoft's instructions because your keyboard and mouse do not work? Is that correct? Are you using a standard type keyboard and mouse or did they require special drivers to work?

    As an FYI if you have the know how, make this CD UBCD4Win and using it makes doing what is in the Microsoft KB article much easier because you can bypass certain steps wind this boot CD is running a copy of Windows that is not the one running when you boot your PC normally from your harddisk. This you can easily move, copy, rename....etc files all around. And this let's you immediately copy files from a System Restore Point folder into a Temp folder where you can renamed them to the correctly formatted names (like in the MS KB article) and then you can directly copy them into the c:\windows\system32\config folder and overwrite the existing files. This is like doing a system restore.
     
    Last edited: Feb 7, 2008
    chaslang, Feb 6, 2008
    #7
  8. DBsummit

    DBsummit Private E-2

    Yes, I cannot continue due to the keyboard and mouse not being recognized by Windows. They are standard USB ones.

    Also, I forgot to mention that when I was manually copying and deleting files from the command line, when I typed this line in: "copy c:\windows\repair\system c:\windows\system32\config\system" it said that it couldn't be found, so I used "dir c:\windows\repair" to see the list of files in the repair folder and saw one called (I believe) system.bak and I copied that one to the config folder instead.
     
    DBsummit, Feb 7, 2008
    #8
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you booting in safe mode or normal mode?

    Did you rename the system.bak file to system? If not, you need to go back to the recovery console and go to the c:\windows\system32\config folder and rename the system.bak file to system

    If you don't know how to do the above, you could just do what you did last time, but change the copy command to the below.

    copy c:\windows\repair\system.bak c:\windows\system32\config\system


    Note it may still be easier if you looked into creating the UBCD4Win disk I mentioned. And use it to boot your PC and alto copy the files mentioned directly from one of your restore points (from before this problem began). For example (just an example) you could directly copy files from

    C:\System Volume Information\_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}\RP30\Snapshot

    directly into the c:\windows\system32\config folder and then you could just simple rename them to the proper file names. That is:
    • Rename _REGISTRY_USER_.DEFAULT to DEFAULT
    • Rename _REGISTRY_MACHINE_SECURITY to SECURITY
    • Rename _REGISTRY_MACHINE_SOFTWARE to SOFTWARE
    • Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM
    • Rename _REGISTRY_MACHINE_SAM to SAM
    The Explorer2 utility in UBCD4Win allows you to have two folders open at the same time and you can directly copy between the two windows and easily rename files just like you would with Windows Explorer.
     
    chaslang, Feb 7, 2008
    #9
  10. DBsummit

    DBsummit Private E-2

    I tried booting in normal and various safe modes, all of them have the same problem.


    I did rename system.bak to system when I did that.

    I suppose I can look into UBCD4Win, unfortunately my burner doesn't work, so I'll have to use my dad's computer for that. If that works, then awesome, but if it doesn't, I suppose my last resort is to format everything and start over.
     
    DBsummit, Feb 7, 2008
    #10
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like drivers that are required for the USB keyboard and mouse are not being loaded.

    I have used this before and it is quite handy. See detailed instructions for creating the disk here: http://www.ubcd4win.com/howto.htm

    I'm assuming that what it loads at startup will allow your keyboard and mouse to work.
     
    chaslang, Feb 8, 2008
    #11
  12. DBsummit

    DBsummit Private E-2

    Okay, I officially love UBCD4Win. I went into recovery console and changed the registry back to what it was when it wouldn't let me log on but the mouse and keyboard still worked. Then I burned a copy of UBCD4Win and followed this tutorial here:http://windowsxp.mvps.org/peboot.htm.

    I am now posting while logged on to my mom's computer, mouse and keyboard fully working.

    I do have the new logs, but for some reason though, the link to upload the attachments is no longer a link any more...is there something wrong with the forums?

    EDIT: I realized it was firefox on here that doesn't seem to be working right, I'll use Internet Explorer to attach the files.

    EDIT 2: And now it works again... strange.
     

    Attached Files:

    DBsummit, Feb 18, 2008
    #12
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I knew you would like UBCD4win. ;) It is in my toolkit!

    Okay now let's see if we can get the rest of the malware removed. Those BHO's are being rather stubborn. Normally this means the registry ownership of the keys has been modified. Let's try the below again with HijackThis and we will follow it with a redundant fix using ComboFix.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
    O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
    O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
    O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
    O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
    O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
    O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
    O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
    O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
    O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
    O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
    O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
    O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
    O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
    O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
    O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
    O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
    O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
    O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
    O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
    O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
    O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
    O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    File::
C:\WINDOWS\17PHolmes72.exe
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
 
Folder::
C:\WINDOWS\system32\acespy
 
Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12F02779-6D88-4958-8AD3-83C12D86ADC7}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bb936323-19fa-4521-ba29-eca6a121bc78}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Feb 22, 2008
    chaslang, Feb 19, 2008
    #13
  14. DBsummit

    DBsummit Private E-2

    Well, I haven't spent much time on this computer nor do I have much time to spend on it, but so far so good. No pop ups have showed up.

    The printer doesn't seem to be working, but it probably just needs to install the drivers again.

    EDIT: I guess it just needed to be unplugged from the power and reconnected again...

    Thank you very much for your help.
     

    Attached Files:

    DBsummit, Feb 20, 2008
    #14
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have one more malware service to remove.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    Driver::
ghxbrccc

File::
C:\WINDOWS\system32\drivers\ndlvvklo.sys
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    chaslang, Feb 22, 2008
    #15
  16. DBsummit

    DBsummit Private E-2

    Okay, here are the most recent logs.

    Everything seems to be working just like it was before. There is one problem this computer has been having for a long time that I haven't been able to figure out though... the sound works on stuff offline such as music and video files, but it never works on the internet, with firefox or internet explorer. That has nothing to do with malware though I don't think, the one thing I haven't tried yet is trying to re-install the drivers for it, I guess I should probably try that before asking for help with it somewhere.

    EDIT: Okay, I have the sound working correctly again. It turns out the default sound device that was being used was "Modem Line #0" for some reason... I changed it to SigmaTel Audio and it works again. Now there are no problems at all. :D
     

    Attached Files:

    DBsummit, Feb 23, 2008
    #16
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
    chaslang, Feb 23, 2008
    #17

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds